What ACL rules do I need to give a client object to make the chef_vault_secret resource work?

I’m trying to make a chef-vault secret using the chef_vault_secret resource provided by the chef-vault cookbook.

I have it running just fine using mocked objects in test kitchen and chef zero, but I’m running into an ACL problem when I try to spin it up on a real server.

This is the basic idea of my recipe code:
# Creates the vault item "grafana" in the "secrets" data bag, readable by the
# listed admins and by the clients of nodes matching the search.
chef_vault_secret 'grafana' do
  action :create_if_missing
  data_bag 'secrets'
  # Parentheses are needed here: a bare { ... } after the method name is parsed as a block, not a hash.
  raw_data('adminuser' => 'admin', 'adminpass' => 'not_random_password')
  admins ['alice', 'bob', 'carol', 'dave', 'eve']
  search 'recipes:myorg-grafana::default'
end

It looks like my client is trying to access the users endpoint on the chef server for the first admin user in my array, but is getting denied:

2015-11-16 19:35:29.188 [error] {<<"method=GET; path=/users/alice; status=401; ">>,“Unauthorized”}

I think I ran into something similar. I had things working fine with chef-provisioner using chef-zero but when I ported everything to my chef server it was failing.

I didn’t take time to dig into the cause but would love to know what’s needed perms wise to get it to work also. :smile:

According to what I remember, the client has to have read permission on all nodes and all users, and read/write permissions on the databag container to create it.

Edit: I’m not sure the web UI lets you do this; you’ll have to grant the perms with knife-acl.
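To make the permission requirement above concrete, here is an added example (not chef-vault's own code, and not part of the thread) that models what a chef_vault_secret :create does: it generates a shared secret, encrypts the raw data with it, and then has to fetch the public key of every admin and every node client so it can wrap that shared secret for each of them. The FakeChefServer class, the actor names and the "401" behaviour are assumptions standing in for the real /users and /clients endpoints; the point is that the per-actor public-key fetch is the call that needs read access on users and nodes/clients.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Hypothetical stand-in for the Chef server: holds each actor's RSA key and an
# ACL listing which actors the calling client is allowed to read.
class FakeChefServer
  Unauthorized = Class.new(StandardError)

  def initialize(readable:)
    @keys = {}
    @readable = readable # actor names the calling client may GET
  end

  def register(name)
    @keys[name] = OpenSSL::PKey::RSA.new(2048)
  end

  # Models GET /users/NAME (admins) or GET /clients/NAME (node clients).
  # Denied actors fail the way the thread's server log shows (status=401).
  def public_key(name)
    raise Unauthorized, "GET /users/#{name}; status=401; Unauthorized" unless @readable.include?(name)
    @keys.fetch(name).public_key
  end
end

# Encrypt raw_data under a fresh shared secret, then wrap the shared secret
# once per actor with that actor's public key (loosely the vault item plus
# the <item>_keys item that chef-vault writes).
def create_vault_item(server, raw_data, actors)
  shared_secret = SecureRandom.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = shared_secret
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(raw_data)) + cipher.final
  keys_item = {}
  actors.each do |name|
    pub = server.public_key(name) # the lookup that 401s for "alice" in the thread
    keys_item[name] = Base64.strict_encode64(pub.public_encrypt(shared_secret))
  end
  {
    'item' => {
      'iv' => Base64.strict_encode64(iv),
      'tag' => Base64.strict_encode64(cipher.auth_tag),
      'data' => Base64.strict_encode64(ciphertext)
    },
    'keys' => keys_item
  }
end

# An actor unwraps its copy of the shared secret with its private key and
# decrypts the item; actors without an entry in 'keys' cannot.
def decrypt_vault_item(vault, name, private_key)
  wrapped = Base64.strict_decode64(vault['keys'].fetch(name))
  shared_secret = private_key.private_decrypt(wrapped)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = shared_secret
  d.iv = Base64.strict_decode64(vault['item']['iv'])
  d.auth_tag = Base64.strict_decode64(vault['item']['tag'])
  JSON.parse(d.update(Base64.strict_decode64(vault['item']['data'])) + d.final)
end

# Runs both cases: a server where the client may read every actor, and one
# where it is denied on the admin user "alice", as in the original post.
def run_example
  raw_data = { 'adminuser' => 'admin', 'adminpass' => 'not_random_password' }
  actors = %w[alice bob grafana-chefvault-billtest]

  allowed = FakeChefServer.new(readable: actors)
  keys = actors.to_h { |a| [a, allowed.register(a)] }
  vault = create_vault_item(allowed, raw_data, actors)
  decrypted = decrypt_vault_item(vault, 'bob', keys['bob'])

  denied = FakeChefServer.new(readable: %w[bob grafana-chefvault-billtest])
  actors.each { |a| denied.register(a) }
  error = begin
    create_vault_item(denied, raw_data, actors)
    nil
  rescue FakeChefServer::Unauthorized => e
    e.message
  end

  { decrypted: decrypted, wrapped_for: vault['keys'].keys, denied_error: error }
end

puts JSON.pretty_generate(run_example) if $PROGRAM_NAME == __FILE__
```

Because the shared secret is wrapped separately for each actor, the creating client has to see every admin's and every matching node client's public key at create time; a single denied lookup aborts the whole create, which is why the OP's run stops at the first admin in the array.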

This is the knife-acl stuff that I did to ensure that my test chef server had the databag and that my test node’s client object had access to the databag.

knife data bag create secrets
knife group create secrets_writers
knife acl add group secrets_writers data secrets create,read,update,delete
knife group add client grafana-chefvault-billtest secrets_writers

I have no idea how to grant the client object access to the users endpoint.

This would seem to indicate that it cannot be done:

These chef-vault cookbook issues seem to indicate that other people have had similar problems with this resource: